CVE-2025-8141
Redirection · Redirection for Contact Form 7 plugin for WordPress
Executive summary
A high-severity vulnerability has been identified in the "Redirection for Contact Form 7" WordPress plugin, allowing an attacker to delete arbitrary files on the server. Successful exploitation could lead to a complete website outage, data corruption, or the disabling of security measures. Immediate action is required to update the affected plugin to prevent potential site compromise.
Vulnerability
The vulnerability lies in the plugin's delete_associated_files function, which deletes files whose paths are taken from user-supplied input without sanitizing or validating them. An authenticated attacker, potentially with low-level privileges, can submit a request whose path contains traversal sequences (e.g., ../../) to escape the directory the function is meant to operate in and delete files anywhere on the server's file system that the web server's account is permitted to remove. Deleting wp-config.php, core WordPress files, or system configuration files can render the website or server inoperable. The damage is not limited to an outage: once wp-config.php is gone, WordPress redirects requests to its installation wizard, which lets whoever reaches it first reconfigure the site, including pointing it at a database they control.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant risk to business operations. Exploitation can lead to a severe denial-of-service condition, causing a complete website outage and disrupting service delivery. The deletion of critical configuration files or application data can result in data loss, requiring extensive and costly recovery efforts. The resulting downtime and potential data integrity issues can cause significant reputational damage, loss of customer trust, and direct financial losses.
Remediation
Immediate Action: Administrators must immediately update the "Redirection for Contact Form 7" plugin to the latest patched version available from the official WordPress repository. If the plugin is not essential for business operations, the most secure course of action is to deactivate it and delete its files from the WordPress installation; deactivating alone leaves the vulnerable code on disk.
Proactive Monitoring:
Monitor web server access logs for suspicious POST or GET requests targeting the plugin's administrative functions, specifically looking for file path parameters that contain traversal sequences (../), including their URL-encoded (%2e%2e%2f, ..%2f) and double-encoded (%252e%252e%252f) forms, which a search for the raw string alone will miss. Implement a File Integrity Monitoring (FIM) solution to generate alerts upon unauthorized deletion or modification of critical files within the webroot (e.g., wp-config.php) and key system directories.
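Detection logic of the kind described above, as an added example rather than anything from the advisory or the plugin. The log lines are constructed, and the admin-ajax.php action name (example_delete_files) and the file parameter name are assumptions standing in for the plugin's real endpoint; what carries over is the repeated percent-decoding before matching, so that encoded and double-encoded traversal is caught:

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines. Three requests from one client carry
# the same traversal payload in raw, single-encoded and double-encoded form;
# the other two are benign (a normal download and a legitimate in-directory delete).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:10:01:13 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete_files&file=../../wp-config.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:20 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete_files&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:01:31 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete_files&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2025:10:02:02 +0000] "GET /wp-content/uploads/2025/08/brochure.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2025:10:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete_files&file=form-1234-resume.pdf HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""

# Client, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' segment followed by a slash, backslash or end of string, after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|\\|$)')


def fully_decode(s: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded, rounds). Double encoding (%252e%252e%252f) needs two
    rounds to become '../'; a raw payload needs none. max_rounds bounds the loop.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
        rounds += 1
    return s, rounds


def find_traversal(log_text: str, endpoint_hint: str = "admin-ajax.php") -> list[dict]:
    """Return one record per request whose decoded target contains a traversal segment.

    endpoint_hint marks whether the hit also touched the endpoint being watched;
    traversal elsewhere is still reported, since the plugin's exact route is not assumed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded, rounds = fully_decode(m["target"])
        if not TRAVERSAL_RE.search(decoded):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "method": m["method"],
            "status": int(m["status"]),
            "decoded_target": decoded,
            "decode_rounds": rounds,
            "on_watched_endpoint": endpoint_hint in decoded,
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} rounds={hit['decode_rounds']} {hit['decoded_target']}")
```

Run this over real access logs and the two things to pivot on are the decode_rounds value (anything above zero means the client deliberately obscured the payload) and the HTTP status: a 200 on a traversal request against the plugin endpoint is the signal to go and check whether wp-config.php and the core files are still there. Overlong UTF-8 encodings of "." are not handled here and would need a separate normalization step.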
Compensating Controls: If immediate patching is not feasible, consider the following controls:
- Implement a Web Application Firewall (WAF) with rules to detect and block path traversal patterns, and confirm it decodes percent-encoding before matching so that ..%2f and double-encoded variants are caught; the OWASP Core Rule Set ships path traversal rules for this.
- Temporarily disable the plugin until a patch can be applied.
- Enforce strict file system permissions for the web server user account to limit its ability to write or delete files outside of necessary directories. Deleting a file requires write permission on its parent directory, not on the file itself, so having the WordPress root and wp-config.php owned by a separate deployment user, with the web server account granted read access only, prevents that account from removing the configuration file even if the plugin is exploited. Keep the directories that must stay writable (such as wp-content/uploads) separate from anything the site cannot afford to lose.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8 and the potential for a complete denial of service, this vulnerability requires immediate attention. We strongly recommend that all organizations using the "Redirection for Contact Form 7" plugin apply the vendor-supplied patch without delay. If the plugin's functionality is not critical, the most effective risk mitigation strategy is to remove it entirely. Proactive patching is essential to prevent operational disruption and protect against opportunistic attacks.